Over the years, I’ve worked for security companies and law enforcement, managed security audits and owned security for a division, and run a security unit for an analyst company. One of the recurring themes is that security is an obstacle to innovation and just getting the job done in a timely manner. Some of the most dramatic breaches I’ve seen have been connected to someone who saw company security as an obstacle that was discretionary, which it wasn’t, and then caused a breach because they felt that to get the job done, they had to ignore it.
This concept of seeing security as an obstacle or unnecessary corporate mandate from clueless executives often comes up in security surveys. People claim that complying with security can add weeks to the development process. If that is the case, there are teams that are meeting their milestone measurements by omitting some of the required security steps.
Facebook has become the poster child for a company that has been repeatedly breached and may now find the government effectively taking it over (which, I expect, will eventually prove problematic to the firm’s survival).
I think this all happens because we look at security as an obstacle rather than a competitive advantage, and if we really want to be both successful and secure, that has to change.
Breaking the Compliance Mindset
Back when I was at IBM, one of the CFOs read an article on Tiger Teams and decided to turn internal audit into one. Rather than the typical audit process, where internal auditors largely look at assuring compliance and beat up on overworked and underpaid employees who don’t have the resources or training to do their jobs and catch the occasional insider crook, he instituted a very different approach. We were to go in and assess the business, much like an external consultant did. If there was a resource problem, rather than penalizing the overworked staff, we’d instead recommend the job be reconfigured so it could operate successfully. Rather than scapegoating the abused employees, we were free to remove the executive(s) who were abusing them and fill the spot ourselves until another could be found to fill the job.
The result was that rather than being avoided or treated like a tax audit (something no one wants), we were invited into organizations having difficulties because they trusted us to find the underlying cause and actually fix stuff. Yes, we still worked to assure compliance, but our primary mission was to make the company better to work in and far more efficient. It was an incredibly rewarding job and one that did the firm a lot of good.
Security can be approached in the same way. Rather than being another bureaucracy known for uncreative ways of saying “no,” security can become a repository of information and advice on how to do things quickly and safely. In effect, rather than being an obstacle to meeting timelines, it can become a way to assure those timelines while protecting the project and the careers of those working on it.
Deep/Machine Learning to the Rescue
Historically, having security perform a more hands-on role inside a company would be problematic because those in security often don’t understand the business very well. But here, the current crop of machine learning and emerging deep learning platforms could provide the link to create the needed database of practices and automated compliance steps that assure the security and integrity of the effort and speed it through the development process.
Companies like Dell and IBM likely stand out because of their deep security competencies and related vast experience in this space as partners, but the effort must start inside the firm with a change in mindset from security as an obstacle to security as an accelerator.
Go Slow to Go Fast
I’ve competed in two sports where there is a concept that roughly translates into “go slow to go fast.” In car racing, it refers to entering a corner slowly to optimize your line through the corner and exit that corner more quickly, thus maintaining a higher speed by slowing down. In shooting, it refers to taking your time to acquire the target before pulling the trigger to avoid a miss. In both cases, this saying refers to quality being the most important aspect of speed because missing a corner or a target, regardless of how fast you are, is likely going to cause you to lose the related competition.
With security, the concept of assuring not only compliance but the safety of the customer and company data has never been more important, and a breach can kill the project or, increasingly, the company. Much like entering the corner or properly acquiring a target before shooting improves a competitor’s advantage, assuring a project doesn’t open the firm up to a breach assures not only the timeliness of the project but whether it, and those working on it, survive the process.
So much like a top driver knows to slow before entering a corner or a top shooter knows that the front sight is critical to hitting the target, a successful business manager should know that making security an essential part of the business is critical to remaining competitive.
Wrapping Up: Rethinking Security
We need to rethink security as a competitive edge and stop thinking of it as an impediment to getting business done. That old thinking is slowing down projects and resulting in avoidable breaches and severe security problems. We under-resource security, under-train its people, and then avoid the unit we’ve crippled like the plague precisely because we crippled it. But a security breach is a product, company and career killer, so this traditional approach is brain-dead stupid.
Instead, we should think of security the way we think of brakes on a race car: as a critical part of winning the race. With the technology we have, we can get this done and turn security from an impediment to innovation and success into one of the most powerful accelerators of company prosperity. The costs of doing this wrong have become simply too great to ignore any longer. It’s time to rethink security as a competitive edge.